Shane Brown leads the construction industry practice at EKS&H.
Many construction companies are increasingly vulnerable to cyberattacks, as the proliferation of mobile devices and other field equipment connected to the internet make the industry a particularly easy target for hackers.
Construction businesses typically have a strong culture of promoting the importance of jobsite safety in their organizations, from top executives to the junior staff. Applying that same rigor to cybersecurity would serve construction companies well as threats proliferate in the years ahead.
A survey by Forrester finds that 75 percent of respondents in the construction, engineering and infrastructure industries had suffered a cyberattack in the past year. Construction companies are particularly vulnerable to hacking for industry-specific reasons. The sector has been quick to welcome the latest technology, embracing the use of such things as tablets that bring modern connectivity to disparate, remote jobsites.
However, that leaves systems vulnerable when those devices operate outside of secure networks. Construction firms also interact with many sub-contractors, vendors and clients, often sharing access to sensitive files with other firms where security may not always be the best.
When contractors email documents like spreadsheets with bid data, profit-margin information or blueprints (sometimes for military facilities or government projects), security is only as tight as the weakest link among those subcontractors, vendors and clients. Construction companies have a cultural challenge, too—with leadership typically taking a hands-off approach to information technology planning, leaving protection against phishing and ransomware to tech teams with limited resources and low organizational profiles.
One construction company recently had its system infiltrated hampering operations for weeks until a cash ransom was paid. These threats are real and can be debilitating.
Many construction firms are starting to come to grips with their cyber vulnerabilities because of new regulations. In the United States, contractors and subcontractors doing business with the U.S. government had to comply by the end of 2017 with NIST 800-171, a standard of measures to secure computer systems and data.
Similarly, Europe’s new General Data Protection Regulation (GDPR), demanding data privacy for individuals and corporations, went into effect in May. Britain also mandates that contractors on government projects must comply with security standards called Cyber Essentials . This trend of increasing regulations will persist and become a feature here in the U.S. In fact, a bill was introduced in the U.S. Senate late last year that would require businesses to better protect customer data and report system breaches within 30 days.
The good news for construction companies is that modestly priced solutions are readily available:
- Security assessments are a sure way to find vulnerabilities and gaps, such as inadequate permission levels for which people can access sensitive files, and employing software to alert IT staff to phishing efforts seeking credentials.
- After identifying vulnerabilities, firms can then match their challenges against any number of available protocols. Companies with government contracts should consult the NIST 800-171 security assessment. Others can judge how they stack up against the Center for Internet Security’s CIS Controls Top 20 list —a prioritized list of actions to protect against known cyberattack vectors—and then tackle vulnerable areas. CIS says following its top five controls will eliminate the vast majority of problems. Those top safeguards are undertaking an inventory of authorized and unauthorized devices, an inventory of authorized and unauthorized software, securing hardware and software configurations, establishing a process for continuous vulnerability assessment and remediation, and controlling the use of administrative privileges.
- Industry best practices suggest that companies should always assess potential cyber threats for each project, agree on who is responsible for keeping data secure on shared projects, understand what security measures each firm has in place and whether a subcontractor creates a potential liability as a result of its lax security.
- Companies should also ensure that access to sensitive files is granted on a project-by-project basis. They should also assess whether specific privacy rules apply in certain industries, such as financial services, before engaging in contracts with customers in that sector.
The cost of a data breach for any company can be expensive. A Ponemon Institute and IBM Security 2017 study finds that the average cost per compromised record in the U.S. was $225. Depending on the number of records breached, costs can run from the tens of thousands to a million dollars or more.
And the costs continue to add up after a breach, from investigations and legal fees to remediation, averaging $1.56 million in the U.S. Once a breach occurs, companies still have a 1 in 4 chance of suffering another breach within 2 years. Some firms might consider taking out cyber insurance to defray any costs associated with a breach.
Getting security right at construction companies requires a cultural shift. The good news is that many constructions companies already have the template in place to make this shift: their safety programs. The same approach should be used to facilitate cyber awareness and best practices across your organization. With executive leadership mandating security awareness and training, the industry can make tremendous progress in addressing this growing problem.
It will pay off when a threat actor starts looking at your business.